[CLOSED] 2FA for accounts #11514
Replies: 7 comments 12 replies
-
This idea is nice and needed IMO. I believe we could have this as a community package but we would need a few hooks in the core package for accounts in order to require an extra step in the authentication process. @denihs could also provide more insights into this as he implemented the 2FA in Meteor Cloud. And Meteor Cloud 2FA is working alongside Meteor Developer accounts, so maybe we don't need any new hooks at all. Maybe we are missing other important aspects here.
-
@filipenevola I also implemented 2FA with the NPM otplib package for one project and it used only Meteor Accounts builtins, so I think it's already possible with the current state of Accounts. Edit: I would not introduce a dependency on otplib, but I want to say that Accounts is already capable of several 2FA setups. We just need a good interface that works with many workflow implementations.
-
Yeah, maybe for a first version we could use the code that I implemented on Meteor Cloud. Today it just does the authentication by email, but I think it's a start. And I think that from there we already would have the base to the other two methods. These are the functions that I export to use it, so you can get a base:
We even use two email services, Postmark and Mandrill. So when you request a code for the first time I send the code using one, but when you request it again I send it using the other. Maybe the package should also have this option. If you want I can share the code that implements all these functions... I would just need @filipenevola's approval as it's in a private repo 🙂.
-
I would be very much interested in seeing 2FA support added to accounts. The accounts system is a major benefit of Meteor and making it easier to add 2FA into it is a good step forward. I was planning to look into building something on my own, but now will see what happens here.
-
A question out of sheer curiosity: if https://github.com/accounts-js/accounts can be integrated in a backwards compatible way, would you guys be ok with deprecating the Meteor accounts system?
-
I would really like to see support for WebAuthn as a second factor. I think there are two different ways of making use of WebAuthn depending on the security requirements.
Due to the nature of the WebAuthn protocol and the current support by all major browsers, in our opinion this is superior to authenticator- or email-based second factors.
-
Hi, the new package 2fa-accounts is already available in beta. You can understand how it works in this preview of the docs. Also, let's centralize the feedback in the PR for 2.6.1.
-
Create a new package that would enable 2 Factor Authentication for accounts. As I see it there are 3 that should be implemented in some way:
The idea is that, if enabled, the login into the account is going to be delayed until a correct code is entered. In basic accounts there should be hooks/methods that account for this and make it easy for apps to implement their own methods. By default there should be a provider for e-mail authentication like we see with Meteor Cloud. I would see authentication via phone (SMS) and/or authenticator app (QR code) as a stretch goal, as those would have to leave space for the implementation of an SMS sender provider and the application of a QR code for authenticator apps.
So as I see it:
Phase 1 - extend accounts system to support 2FA
Extend the account system for the data needed for 2FA. This would require accounting for and management of the additional DB fields (something like `Accounts.add2FAToUser(userId, 'email', options)` and a remove function). Following that, the login function should either return the user object on success or some sort of a message to proceed to the 2FA part if the user has 2FA enabled. Then have a function that will receive the code, check its validity and, if correct, log the user in.
Update: As per @denihs' suggestion, this should also have backup codes functionality.
Phase 2 - create e-mail 2FA
Create a package for e-mail 2FA. This one would send the code for 2FA to the primary e-mail of the user, using the `email` package. There should be an editable template available like with the other system e-mails.
Notes and thoughts
`email` package that would easily allow sending the messages in a custom way; it is partially there, but could be improved.